Download to read offline
![DFIR Forensic Analysts are on the front lines
of computer investigations. This guide aims
to support Forensic Analysts in their quest
to uncover the truth.
File System Layer Tools (Partition Information)
fsstat -Displays details about the file system
# fsstat imagefile.dd
Data Layer Tools (Block or Cluster)
blkcat -Displays the contents of a disk block
# blkcat imagefile.dd block_num
blkls -Lists contents of deleted disk blocks
# blkls imagefile.dd > imagefile.blkls
blkcalc-Maps between dd images and blkls results
# blkcalc imagefile.dd -u blkls_num
blkstat -Display allocation status of block
# blkstat imagefile.dd cluster_number
MetaData Layer Tools (Inode, MFT, or Directry Entry)
ils -Displays inode details
# ils imagefile.dd
istat -Displays information about a specific inode
# istat imagefile.dd inode_num
icat -Displays contents of blocks allocated to an inode
# icat imagefile.dd inode_num
ifind -Determine which inode contains a specific block
# ifind imagefile.dd –d block_num
Filename Layer Tools
fls -Displays deleted file entries in a directory inode
# fls -rpd imagefile.dd
ffind -Find the filename that using the inode
# ffind imagefile.dd inode_num
Sleuthkit Tools
Purpose
How To Use This Sheet
When performing an investigation it is helpful to be
reminded of the powerful options available to the
investigator. This document is aimed to be a
reference to the tools that could be used. Each of
these commands runs locally on a system.
This sheet is split into these sections:
• Mounting Images
• Shadow Timeline Creation
• Mounting Volume Shadow Copies
• Memory Analysis
• Recovering Data
• Creating Supert Timelines
• String Searches
• The Sleuthkit
• Stream Extraction
TIME TO GO HUNTING
Step 1 – Attach Local or Remote System Drive
# ewfmount system-name.E01 /mnt/ewf
Step 2 – Mount VSS Volume
# cd /mnt/ewf
# vshadowmount ewf1 /mnt/vss
Step 3 – Run fls across ewf1 mounted image
# cd /mnt/ewf
# fls –r –m C: ewf1 >> /cases/vss-
bodyfile
Step 4 – Run fls Across All Snapshot Images
# cd /mnt/vss
# for i in vss*; do fls -r –m C: $i
>> /cases/vss-bodyfile; done
Step 5 – De-Duplicate Bodyfile using sort and uniq
# sort /cases/vss-bodyfile | uniq >
/cases/vss-dedupe-bodyfile
Step 6 – Run mactime Against De-Duplicated Bodyfile
# mactime –d –b /cases/vss-dedupe-
bodyfile –z EST5EDT MM-DD-YYYY..MM-
DD-YYYY > /cases/vss-timeline.csv
Shadow Timeline Creation
vol.py command –f
/path/to/windows_xp_memory.img --
profile=WinXPSP3x86
[Supported commands]
connscan Scan for connection objects
files list of open files process
imagecopy Convert hibernation file
procdump Dump process
pslist list of running processes
sockscan Scan for socket objects
Memory Analysis
SIFT
WORKSTATION
Cheat Sheet v3.0
SANS DFIR
http://computer-forensics.sans.org
http://blogs.sans.org/computer-forensics](https://image.slidesharecdn.com/siftcheatsheet-230905080732-100984e9/85/sift_cheat_sheet-pdf-1-320.jpg)
![DFIR Forensic Analysts are on the front lines
of computer investigations. This guide aims
to support Forensic Analysts in their quest
to uncover the truth.
File System Layer Tools (Partition Information)
fsstat -Displays details about the file system
# fsstat imagefile.dd
Data Layer Tools (Block or Cluster)
blkcat -Displays the contents of a disk block
# blkcat imagefile.dd block_num
blkls -Lists contents of deleted disk blocks
# blkls imagefile.dd > imagefile.blkls
blkcalc-Maps between dd images and blkls results
# blkcalc imagefile.dd -u blkls_num
blkstat -Display allocation status of block
# blkstat imagefile.dd cluster_number
MetaData Layer Tools (Inode, MFT, or Directry Entry)
ils -Displays inode details
# ils imagefile.dd
istat -Displays information about a specific inode
# istat imagefile.dd inode_num
icat -Displays contents of blocks allocated to an inode
# icat imagefile.dd inode_num
ifind -Determine which inode contains a specific block
# ifind imagefile.dd –d block_num
Filename Layer Tools
fls -Displays deleted file entries in a directory inode
# fls -rpd imagefile.dd
ffind -Find the filename that using the inode
# ffind imagefile.dd inode_num
Sleuthkit Tools
Purpose
How To Use This Sheet
When performing an investigation it is helpful to be
reminded of the powerful options available to the
investigator. This document is aimed to be a
reference to the tools that could be used. Each of
these commands runs locally on a system.
This sheet is split into these sections:
• Mounting Images
• Shadow Timeline Creation
• Mounting Volume Shadow Copies
• Memory Analysis
• Recovering Data
• Creating Supert Timelines
• String Searches
• The Sleuthkit
• Stream Extraction
TIME TO GO HUNTING
Step 1 – Attach Local or Remote System Drive
# ewfmount system-name.E01 /mnt/ewf
Step 2 – Mount VSS Volume
# cd /mnt/ewf
# vshadowmount ewf1 /mnt/vss
Step 3 – Run fls across ewf1 mounted image
# cd /mnt/ewf
# fls –r –m C: ewf1 >> /cases/vss-
bodyfile
Step 4 – Run fls Across All Snapshot Images
# cd /mnt/vss
# for i in vss*; do fls -r –m C: $i
>> /cases/vss-bodyfile; done
Step 5 – De-Duplicate Bodyfile using sort and uniq
# sort /cases/vss-bodyfile | uniq >
/cases/vss-dedupe-bodyfile
Step 6 – Run mactime Against De-Duplicated Bodyfile
# mactime –d –b /cases/vss-dedupe-
bodyfile –z EST5EDT MM-DD-YYYY..MM-
DD-YYYY > /cases/vss-timeline.csv
Shadow Timeline Creation
vol.py command –f
/path/to/windows_xp_memory.img --
profile=WinXPSP3x86
[Supported commands]
connscan Scan for connection objects
files list of open files process
imagecopy Convert hibernation file
procdump Dump process
pslist list of running processes
sockscan Scan for socket objects
Memory Analysis
SIFT
WORKSTATION
Cheat Sheet v3.0
SANS DFIR
http://computer-forensics.sans.org
http://blogs.sans.org/computer-forensics](https://image.slidesharecdn.com/siftcheatsheet-230905080732-100984e9/75/sift_cheat_sheet-pdf-1-2048.jpg)
![Recovering Data
mount -t fstype [options] image mountpoint
image can be a disk partition or dd image file
[Useful Options]
ro mount as read only
loop mount on a loop device
noexec do not execute files
ro mount as read only
loop mount on a loop device
offset=<BYTES> logical drive mount
show_sys_files show ntfs metafiles
streams_interface=windows use ADS
Example: Mount an image file at mount_location
# mount –o
loop,ro,show_sys_files,streams_interface=window
s imagefile.dd /mnt/windows_mount
Mounting DD Images
# ewfmount image.E01 mountpoint
# mount –o
loop,ro,show_sys_files,streams_interface=window
s /mnt/ewf/ewf1 /mnt/windows_mount
Mounting E01 Images
Create Unallocated Image (deleted data) using blkls
# blkls imagefile.dd >
unallocated_imagefile.blkls
Create Slack Image Using dls (for FAT and NTFS)
# blkls –s imagefile.dd > imagefile.slack
foremost Carves out files based on headers and footers
data_file.img = raw data, slack space, memory, unallocated space
# foremost –o outputdir –c
/path/to/foremost.conf data_file.img
sigfind - search for a binary value at a given offset (-o)
-o <offset> start search at byte <offset>
# sigfind <hexvalue> -o <offset>
# log2timeline –r –p –z <system-timezone>
–f <type-input> /mnt/windows_mount –w
timeline.csv
file|dir artifact target
-f <TYPE-INPUT> input format
-o <TYPE-OUTPUT> output format: default csv file
-w <FILE> append to log file
-z <SYSTEM TIMEZONE>
-Z <OUTPUT TIMEZONE>
-r recursive mode
-p preprocessors
# mount –o
loop,ro,show_sys_files,streams_interface=windows
imagefile.dd /mnt/windows_mount
# log2timeline –z EST5EDT –p –r -f win7
/mnt/windows_mount -w /cases/bodyfile.txt
# l2t_process –b /cases/bodyfile.txt –w
whitelist.txt 04-02-2012 > timeline.csv
Creating Super Timelines
# bulk_extractor <options> –o output_dir
image
[Useful Options]
-o outdir
-f <regex> regular expression term
-F <rfile> file of regex terms
-Wn1:n2 extract words between n1
and n2 in length
-q nn quiet mode.
-e scanner enables a scanner.
-e wordlist - enable scanner wordlist
-e aes - enable scanner aes
-e net - enable scanner net
# bulk_extractor -F keywords.txt –e net
-e aes -e wordlist -o /cases/bulk-
extractor-memory-output /cases/
memory-raw.001
Stream Extraction
Forensic Analysis
Cheat Sheet
Forensics
MANDIANT
contact@mandiant.com
703.683.3141
http://www.mandiant.org
# rip.pl –r <HIVEFILE> –f <HIVETYPE>
[Useful Options]
-r Registry hive file to parse <HIVEFILE>
-f Use <HIVETYPE> (e.g. sam, security,
software, system, ntuser)
-l List all plugins
# rip.pl –r
/mnt/windows_mount/Windows/System32/config/SAM –f sam
> /cases/windowsforensics/SAM.txt
Registry Parsing - Regripper
# deleted.pl <HIVEFILE>
# deleted.pl
/mnt/windows_mount/Windows/System32/config/SAM >
/cases/windowsforensics/SAM_DELETED.txt
Recover Deleted Registry Keys
Stage 1 – Attach local or remote system drive
# ewfmount system-name.E01 /mnt/ewf
Stage 2 – Mount raw image VSS
# vshadowmount ewf1 /mnt/vss/
Stage 3 – Mount all logical filesystem of snapshot
# cd /mnt/vss
# for i in vss*; do mount -o
ro,loop,show_sys_files,streams_interface=
windows $i /mnt/shadow_mount/$i; done
Mounting Volume Shadow Copies](https://image.slidesharecdn.com/siftcheatsheet-230905080732-100984e9/85/sift_cheat_sheet-pdf-2-320.jpg)
Uploaded byNaveenVarma Chintalapati
sift_cheat_sheet.pdf
This document provides a summary of various digital forensics tools for analysts to use in computer investigations. It outlines tools for analyzing the file system, data, metadata, and filename layers as well as mounting disk images, recovering deleted data, parsing the registry, and extracting memory analysis. The goal is to serve as a quick reference guide for investigators on the available options to uncover the truth.
![First Responder Course - Session 10 - Static Evidence Collection [2004]](https://cdn.slidesharecdn.com/ss_thumbnails/publiccopy-10-staticevidencecollection-130419072255-phpapp02-thumbnail.jpg?width=640&height=640&fit=bounds)
sift_cheat_sheet.pdf
- 1. DFIR Forensic Analystsare on the front lines of computer investigations. This guide aims to support Forensic Analysts in their quest to uncover the truth. File System Layer Tools (Partition Information) fsstat -Displays details about the file system # fsstat imagefile.dd Data Layer Tools (Block or Cluster) blkcat -Displays the contents of a disk block # blkcat imagefile.dd block_num blkls -Lists contents of deleted disk blocks # blkls imagefile.dd > imagefile.blkls blkcalc-Maps between dd images and blkls results # blkcalc imagefile.dd -u blkls_num blkstat -Display allocation status of block # blkstat imagefile.dd cluster_number MetaData Layer Tools (Inode, MFT, or Directry Entry) ils -Displays inode details # ils imagefile.dd istat -Displays information about a specific inode # istat imagefile.dd inode_num icat -Displays contents of blocks allocated to an inode # icat imagefile.dd inode_num ifind -Determine which inode contains a specific block # ifind imagefile.dd –d block_num Filename Layer Tools fls -Displays deleted file entries in a directory inode # fls -rpd imagefile.dd ffind -Find the filename that using the inode # ffind imagefile.dd inode_num Sleuthkit Tools Purpose How To Use This Sheet When performing an investigation it is helpful to be reminded of the powerful options available to the investigator. This document is aimed to be a reference to the tools that could be used. Each of these commands runs locally on a system. This sheet is split into these sections: • Mounting Images • Shadow Timeline Creation • Mounting Volume Shadow Copies • Memory Analysis • Recovering Data • Creating Supert Timelines • String Searches • The Sleuthkit • Stream Extraction TIME TO GO HUNTING Step 1 – Attach Local or Remote System Drive # ewfmount system-name.E01 /mnt/ewf Step 2 – Mount VSS Volume # cd /mnt/ewf # vshadowmount ewf1 /mnt/vss Step 3 – Run fls across ewf1 mounted image # cd /mnt/ewf # fls –r –m C: ewf1 >> /cases/vss- bodyfile Step 4 – Run fls Across All Snapshot Images # cd /mnt/vss # for i in vss*; do fls -r –m C: $i >> /cases/vss-bodyfile; done Step 5 – De-Duplicate Bodyfile using sort and uniq # sort /cases/vss-bodyfile | uniq > /cases/vss-dedupe-bodyfile Step 6 – Run mactime Against De-Duplicated Bodyfile # mactime –d –b /cases/vss-dedupe- bodyfile –z EST5EDT MM-DD-YYYY..MM- DD-YYYY > /cases/vss-timeline.csv Shadow Timeline Creation vol.py command –f /path/to/windows_xp_memory.img -- profile=WinXPSP3x86 [Supported commands] connscan Scan for connection objects files list of open files process imagecopy Convert hibernation file procdump Dump process pslist list of running processes sockscan Scan for socket objects Memory Analysis SIFT WORKSTATION Cheat Sheet v3.0 SANS DFIR http://computer-forensics.sans.org http://blogs.sans.org/computer-forensics
- 2. Recovering Data mount -tfstype [options] image mountpoint image can be a disk partition or dd image file [Useful Options] ro mount as read only loop mount on a loop device noexec do not execute files ro mount as read only loop mount on a loop device offset=<BYTES> logical drive mount show_sys_files show ntfs metafiles streams_interface=windows use ADS Example: Mount an image file at mount_location # mount –o loop,ro,show_sys_files,streams_interface=window s imagefile.dd /mnt/windows_mount Mounting DD Images # ewfmount image.E01 mountpoint # mount –o loop,ro,show_sys_files,streams_interface=window s /mnt/ewf/ewf1 /mnt/windows_mount Mounting E01 Images Create Unallocated Image (deleted data) using blkls # blkls imagefile.dd > unallocated_imagefile.blkls Create Slack Image Using dls (for FAT and NTFS) # blkls –s imagefile.dd > imagefile.slack foremost Carves out files based on headers and footers data_file.img = raw data, slack space, memory, unallocated space # foremost –o outputdir –c /path/to/foremost.conf data_file.img sigfind - search for a binary value at a given offset (-o) -o <offset> start search at byte <offset> # sigfind <hexvalue> -o <offset> # log2timeline –r –p –z <system-timezone> –f <type-input> /mnt/windows_mount –w timeline.csv file|dir artifact target -f <TYPE-INPUT> input format -o <TYPE-OUTPUT> output format: default csv file -w <FILE> append to log file -z <SYSTEM TIMEZONE> -Z <OUTPUT TIMEZONE> -r recursive mode -p preprocessors # mount –o loop,ro,show_sys_files,streams_interface=windows imagefile.dd /mnt/windows_mount # log2timeline –z EST5EDT –p –r -f win7 /mnt/windows_mount -w /cases/bodyfile.txt # l2t_process –b /cases/bodyfile.txt –w whitelist.txt 04-02-2012 > timeline.csv Creating Super Timelines # bulk_extractor <options> –o output_dir image [Useful Options] -o outdir -f <regex> regular expression term -F <rfile> file of regex terms -Wn1:n2 extract words between n1 and n2 in length -q nn quiet mode. -e scanner enables a scanner. -e wordlist - enable scanner wordlist -e aes - enable scanner aes -e net - enable scanner net # bulk_extractor -F keywords.txt –e net -e aes -e wordlist -o /cases/bulk- extractor-memory-output /cases/ memory-raw.001 Stream Extraction Forensic Analysis Cheat Sheet Forensics MANDIANT contact@mandiant.com 703.683.3141 http://www.mandiant.org # rip.pl –r <HIVEFILE> –f <HIVETYPE> [Useful Options] -r Registry hive file to parse <HIVEFILE> -f Use <HIVETYPE> (e.g. sam, security, software, system, ntuser) -l List all plugins # rip.pl –r /mnt/windows_mount/Windows/System32/config/SAM –f sam > /cases/windowsforensics/SAM.txt Registry Parsing - Regripper # deleted.pl <HIVEFILE> # deleted.pl /mnt/windows_mount/Windows/System32/config/SAM > /cases/windowsforensics/SAM_DELETED.txt Recover Deleted Registry Keys Stage 1 – Attach local or remote system drive # ewfmount system-name.E01 /mnt/ewf Stage 2 – Mount raw image VSS # vshadowmount ewf1 /mnt/vss/ Stage 3 – Mount all logical filesystem of snapshot # cd /mnt/vss # for i in vss*; do mount -o ro,loop,show_sys_files,streams_interface= windows $i /mnt/shadow_mount/$i; done Mounting Volume Shadow Copies